Privacy Policy

ReusePass LLC ("ReusePass," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our customer retention platform located at reusepass.com and related services (collectively, the "Service").

Company Information:
ReusePass LLC
Virginia Beach, Virginia, USA
Email: privacy@reusepass.com

We operate under a privacy-first model. Customers can redeem offers anonymously without creating accounts, while merchants can track campaign performance without accessing personal customer information.

2.1 Merchant Data

When you register as a merchant, we collect:

• Account Information: Email address, password (hashed), business name
• Business Details: Business address, phone number, website
• Payment Information: Processed securely through Stripe (we do not store card details)
• Usage Analytics: Login times, feature usage, campaign performance metrics
• Communications: Support tickets, emails, feedback

2.2 Customer Data

For customers redeeming offers, we collect minimal, anonymous data:

• Device Fingerprints: Anonymous identifiers to track redemption eligibility (no personal information)
• Redemption Data: Timestamps, campaign codes, cooldown status
• Location Data: Approximate location only when necessary for multi-location merchants (city-level)
• Optional Data: Email or phone only if voluntarily provided for merchant communications

2.3 Technical Data

We automatically collect:

• Log Data: IP addresses (anonymized after processing), browser type, operating system
• Device Information: Screen resolution, language preferences, time zone
• Interaction Data: Pages visited, clicks, feature usage patterns
• Performance Data: Load times, error logs, crash reports

2.4 Communication Data

When enabled, we process:

• Push Notifications: Browser push endpoints (anonymous, no personal data)
• Email Communications: Email addresses for merchant alerts (opt-in only)
• SMS (Future): Phone numbers for text alerts (explicit opt-in required)

We use collected data for the following purposes:

3.1 Service Delivery

• Process and manage merchant accounts
• Enable campaign creation and management
• Track anonymous redemptions and enforce cooldown periods
• Generate analytics and reporting for merchants
• Process payments and manage subscriptions

3.2 Platform Improvement

• Analyze usage patterns to improve features
• Conduct A/B testing and performance optimization
• Develop new features based on user behavior
• Create aggregated, anonymized industry insights

3.3 Communication

• Send account-related notifications to merchants
• Deliver push notifications to customers (opt-in only)
• Provide customer support and respond to inquiries
• Send marketing communications (with consent)

3.4 Legal and Security

• Comply with legal obligations and regulations
• Prevent fraud and abuse of the platform
• Enforce our terms of service and policies
• Protect rights, property, and safety of users
• Maintain tax and financial records as required by law

We process personal data under the following legal bases:

4.1 Contract Performance

Processing necessary to fulfill our contract with merchants, including account management, service delivery, and payment processing.

4.2 Legitimate Interests

Processing for our legitimate business interests, including:

• Fraud prevention and platform security
• Service improvement and analytics
• Direct marketing to existing customers (with opt-out)
• Network and information security

4.3 Consent

Processing based on your explicit consent for:

• Push notifications
• Marketing emails
• SMS communications (when launched)
• Optional data collection

4.4 Legal Obligation

Processing necessary to comply with legal requirements, including tax reporting, court orders, and regulatory compliance.

We work with trusted third-party services to provide our platform:

5.1 Infrastructure Providers

• Stripe, Inc.: Payment processing (PCI DSS Level 1 certified)
• Supabase, Inc.: Database hosting (SOC 2 Type II compliant)
• Vercel, Inc.: Web hosting and CDN (ISO 27001 certified)

5.2 Communication Services

• Web Push API: Browser push notifications (Google FCM, Apple APNS)
• Email Service: Transactional and marketing emails
• SMS Provider (Future): Text messaging services (Twilio or similar)

5.3 Data Sharing Principles

• We never sell personal information to third parties
• Third parties process data only as directed by us
• All providers sign data processing agreements
• We conduct due diligence on security practices

6.1 Primary Processing Location

Our primary servers are located in the United States. By using ReusePass, you acknowledge that your data may be transferred to and processed in the United States.

6.2 Transfer Safeguards

For transfers from the EU/EEA to the United States, we implement:

• EU Commission-approved Standard Contractual Clauses
• Technical and organizational security measures
• Data minimization principles
• Encryption in transit and at rest

6.3 Data Localization

We maintain encrypted backups in multiple regions for disaster recovery. All backups are subject to the same security standards as primary data.

7.1 Privacy by Design

ReusePass is built on privacy-first principles:

• No account required to redeem offers
• No personal information collected by default
• Device fingerprinting tracks only redemption eligibility
• Merchants cannot access individual customer data

7.2 Device Fingerprinting Explained

We use browser-based device fingerprinting to:

• Prevent coupon abuse and fraud
• Enforce cooldown periods between redemptions
• Track redemption counts per device
• This does NOT track you across other websites

7.3 Optional Data Collection

You may optionally provide:

• Push Notifications: Browser permission required, can revoke anytime
• Email: Only if you choose to receive merchant updates
• Phone (Future): Only for SMS alerts with explicit consent

7.4 Data Control

As a customer, you can:

• Clear browser data to reset device fingerprint
• Disable push notifications in browser settings
• Opt-out of any communications
• Request data deletion via privacy@reusepass.com

Under GDPR, CCPA, and other privacy laws, you have the following rights:

8.1 Right to Access

Request a copy of the personal data we hold about you. We'll provide this in a structured, commonly used format (JSON).

8.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, except where we have legal obligations to retain it.

8.4 Right to Restrict Processing

Request that we limit how we use your personal data.

8.5 Right to Data Portability

Receive your data in a machine-readable format to transfer to another service.

8.6 Right to Object

Object to processing based on legitimate interests or direct marketing.

8.7 Rights Related to Automated Decision-Making

We do not use fully automated decision-making that produces legal effects.

8.8 How to Exercise Your Rights

Email privacy@reusepass.com with your request. We'll respond within 30 days (or as required by applicable law). We may need to verify your identity before processing requests.

9.1 Retention Periods

• Active Merchant Accounts: Retained while account is active
• Canceled Merchant Accounts: 90 days after cancellation
• Customer Redemption Data: 7 years for tax and audit purposes
• Push Subscriptions: Until opt-out or 90 days of inactivity
• Financial Records: 7 years as required by law
• Anonymized Analytics: Retained indefinitely

9.2 Deletion Process

When retention periods expire, we:

• Securely delete personal data from active systems
• Remove data from backups within 90 days
• Retain only anonymized, aggregated data
• Maintain deletion logs for compliance

9.3 Legal Holds

We may retain data longer if required for legal proceedings, regulatory investigations, or compliance obligations.

10.1 Technical Measures

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Controls: Role-based permissions, multi-factor authentication
• Infrastructure: SOC 2 compliant hosting providers
• Monitoring: 24/7 security monitoring and intrusion detection
• Testing: Regular security audits and penetration testing

10.2 Organizational Measures

• Employee confidentiality agreements
• Security awareness training
• Limited access on need-to-know basis
• Vendor security assessments
• Incident response procedures

10.3 Data Breach Response

In the event of a data breach, we will:

• Notify affected users within 72 hours (or as required by law)
• Inform relevant supervisory authorities
• Investigate and document the incident
• Implement measures to prevent recurrence

11.1 Our Cookie Usage

We use only strictly necessary cookies:

• Session Cookies: Maintain logged-in state for merchants
• Security Cookies: Prevent CSRF attacks
• Preference Cookies: Remember language and display settings

11.2 What We Don't Use

• No third-party advertising cookies
• No cross-site tracking
• No social media pixels
• No Google Analytics or similar services

11.3 Device Fingerprinting

For fraud prevention and cooldown enforcement, we use browser-based device fingerprinting that:

• Creates a unique identifier from browser characteristics
• Does not track across websites
• Can be reset by clearing browser data
• Contains no personal information

11.4 Managing Cookies

You can control cookies through your browser settings. Note that disabling cookies may limit platform functionality for merchants.

12.1 Age Restrictions

ReusePass is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13.

12.2 Merchant Responsibility

Merchants must not:

• Target campaigns at children without parental consent
• Collect information from minors through our platform
• Violate COPPA or similar child protection laws

12.3 Parental Rights

If you believe we have inadvertently collected information from a child under 13, please contact privacy@reusepass.com immediately for deletion.

13.1 Push Notifications

• Require explicit browser permission
• Used for cooldown reminders and merchant updates
• Can be disabled in browser settings anytime
• No personal data transmitted

13.2 Email Communications

• Transactional emails for account management
• Marketing emails only with opt-in consent
• Unsubscribe link in every marketing email
• CAN-SPAM and CASL compliant

13.3 SMS (Future Feature)

• Will require express written consent
• TCPA compliant opt-in process
• Easy opt-out via STOP command
• Message frequency and charges disclosed

14.1 GDPR (European Union)

• Full compliance with all GDPR requirements
• Data Processing Agreements with all vendors
• EU representative to be appointed when required
• Privacy by design and default

14.2 CCPA/CPRA (California)

• No sale of personal information
• Consumer rights portal at privacy@reusepass.com
• Annual privacy rights metrics reporting
• "Do Not Sell" not applicable (we never sell data)

14.3 Other Jurisdictions

We maintain compliance readiness for:

• UK GDPR: Post-Brexit compliance
• PIPEDA (Canada): Privacy policies and consent
• LGPD (Brazil): Data protection framework
• Australian Privacy Act: APPs compliance

15.1 Update Process

We may update this Privacy Policy to reflect:

• Changes in our data practices
• New features or services
• Legal or regulatory requirements
• Security improvements

15.2 Notification

For material changes, we will:

• Email registered merchants
• Display a prominent notice on the platform
• Update the "Last Updated" date
• Provide a summary of changes

15.3 Acceptance

Continued use of ReusePass after changes indicates acceptance of the updated policy.